[Request/Done] Let's Encrypt Container


rix


@jrdnlc - Can you post your entire default file code including what you have in for the plex entries? (Make sure to X out any personal details)

 

Does the log say anything relevant?

 

And are you restarting the nginx docker after each change?

 

I'll send you the pastebin link via PM, and yeah, I'm restarting the docker after changes.


I tried using Nginx-letsencrypt with EmbyServer as well now and it seems to work fine.

 

I just added another location I found in the Emby forums to my config.

 

location /emby {
# Send traffic to the backend
proxy_pass http://192.168.xxx.x:8096/emby;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
# The copy from the Emby forums set this to $remote_addr (a client IP, not a scheme); $scheme is what the backend expects
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_redirect off;

# Send websocket data to the backend as well
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

 

As I don't really understand much of this and already got Nextcloud running fine with the help of kamhighway's guide from here (https://lime-technology.com/forum/index.php?topic=51466.0), I have already included a proxy.conf file located under /mnt/cache/appdata/letsecrypt/nginx/

which looks like this

 

client_max_body_size 10m;
client_body_buffer_size 128k;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

So my question is whether I could just use this instead of the one I found in the Emby forums (as some lines are a bit different) and just add the following as a location to my config.

location /emby {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.xxx.x:8096/emby;
}


Have you tested any of the apps externally? I have my Emby set up behind Apache, and it works great with the web client, but I can't get any of the Emby apps to see it.

I have Emby set up behind nginx and working on both the internal and external network on both Android and iOS :)


 

It's working for me as well.

Just kept it like this now with the proxy.conf file included.

 

location /emby {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.xxx.x:8096/emby;
}

 

Did you do it the same way?

 

Would it be possible to use localhost instead of my unRAID IP, by the way, and is it a good idea generally?

How can I block access to domain.com/test.txt, /folder, /sample.doc, etc.?

 

EDIT: I would like to know a more elegant method to do this, but in the meantime you can block multiple files/directories using this location format:

 

location ~ /(dir1|dir2|dir3|file1.ext|file2.ext|file3.ext) {
	deny all;
	return 404;
}

 

I would also like to know this! I didn't even realise that they could be accessed!


 

Where in the config file do I enter that code? I tried all the way at the bottom but it messes up my whole domain.com page.


I'm having trouble adding the server to Android devices (Android app) outside of the local network.

Web browser traffic works fine internally and externally.

When you add the server, are you putting 443 as the port and https://my.subdomain/emby as the host?

 

My proxy and default conf are below.

Thanks!

 

Proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

location /emby {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.#.#:8096/emby;
}


Put it in the same place as your other location directives. Make sure that you do not include any directories that house resources like CSS, images, etc. that any HTML/PHP files need access to. The deny all is a literal deny ALL.

 

I'm still trying to work out how to stop direct linking to images/CSS files while still allowing the server to serve them in web pages. Apparently it can be done with nginx referer parameters, but I couldn't get it to work.
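Here is an added example (not from any post in this thread) of both ideas together: hiding a list of paths, and the referer check nginx provides for static assets. It assumes the domain example.com, the paths /private, /backups, /sample.doc and /test.txt as stand-ins, and the container's usual /config/www document root.

```nginx
# Added example, not a config from this thread. Goes inside the server { } block
# in "default", next to the other location directives.
server {
    listen 443 ssl;
    server_name example.com;   # placeholder, substitute your own domain
    root /config/www;

    # Hidden paths. The ^ anchor matters: the thread's "location ~ /(dir1|...)"
    # matches anywhere in the URI, and an unescaped "." in file1.ext matches any
    # character. "return" runs in the rewrite phase, before "deny all" would be
    # evaluated, so answering 404 alone is enough and hides the path's existence.
    location ~ ^/(private|backups|sample\.doc|test\.txt)(/|$) {
        return 404;
    }

    # Static assets: accept requests with no Referer ("none"), a garbled one
    # ("blocked"), or one naming this server ("server_names"); refuse the rest.
    # Referer is sent by the client, so this only discourages hotlinking from
    # other sites; it is not an access control.
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|woff2?)$ {
        valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

With "none" in the list, a URL typed directly into the address bar still works, because such a request carries no Referer; drop "none" if you also want to refuse those, at the cost of breaking some privacy-conscious browsers.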
I'm using a template from here: html5up.net

 

Just download one and modify the index.html

 

The guy is super talented and these are really easy to customize.

Thanks for sharing, aptalca. The webUI is showing a nice overview now :-) However, I don't quite understand how to open the apps by clicking on the nice buttons. Where does this need to be added? https://192.168.xxx.xxx:xxx/nextcloud

 

Another question on how the conf files act together. E.g. the definition client_max_body_size can be found in all three files below.

What is best practice for all these definitions?

 

Would that work:

proxy.conf: keeping anything starting with proxy_ and removing the rest

default: removing these, as nginx.conf already contains these definitions:

ssl_prefer_server_ciphers on

add_header Strict-Transport-Security

client_max_body_size

 

proxy.conf:

client_max_body_size 10m;
client_body_buffer_size 128k;

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

nginx.conf:

user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
worker_connections 768;
}

http {

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

client_max_body_size 0;

include /etc/nginx/mime.types;
default_type application/octet-stream;

access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;

gzip on;
gzip_disable "msie6";

text/javascript;

include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

}

 

default:

server {
listen 80;

listen 443 ssl default_server;

root /config/www;
index index.html index.htm index.php;

server_name server.dyndns.com;

ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 10G;
fastcgi_buffers 64 4K;

location / {
	try_files $uri $uri/ /index.html /index.php?$args =404;
}

location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
}

location /nextcloud {
	include /config/nginx/proxy.conf;
	proxy_pass https://192.168.178.28:444/nextcloud;
}

location /emby {
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.178.28:8096/emby;
}

location /calibre {
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.178.28:8083/calibre;
}

location /tvheadend {
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.178.28:9982/tvheadend;
}
}


You need to edit the HTML file(s) to include links to your apps. If you are using the reverse proxy, use your domain, not the IP (local IPs will only work from the local network/VPN).

 

If you don't know HTML: http://www.w3schools.com/html/


Great link, thanks a lot cglatot.

 

Does anyone have some advice on the second question, on how the conf files work together?

Sure, you can modify them however you like. Nginx gives different priorities to different config files when there are duplicate parameters set.

 

For instance, nginx.conf can set a parameter for all, but then you can override that in a specific server block while leaving the others at the default.
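An added illustration of that precedence (not a config from this thread), using the same client_max_body_size directive that appears in all three of the files posted above; the hostnames and backend address are placeholders.

```nginx
# Added example, not from the thread. Directives inherit downward from http{}
# to server{} to location{}; the innermost definition wins. "include" simply
# pastes the file's directives at that point, so a value from proxy.conf
# behaves as if it had been typed inside the location that includes it.
http {
    client_max_body_size 10m;   # default for every server block below

    server {
        listen 443 ssl;
        server_name www.example.com;   # placeholder
        # no client_max_body_size here: inherits 10m from http{}
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

        location / {
            root /config/www;
            # inherits 10m from the server block
        }
    }

    server {
        listen 443 ssl;
        server_name cloud.example.com;   # placeholder
        client_max_body_size 10G;        # overrides 10m for this vhost only
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

        location /nextcloud {
            include /config/nginx/proxy.conf;   # if proxy.conf sets 10m, that wins here
            proxy_pass https://192.168.x.x:444/nextcloud;   # placeholder backend
            # Caveat: add_header and proxy_set_header are NOT merged. As soon as
            # one add_header appears at a level, none from the parent levels are
            # inherited, so a location that adds its own header silently drops
            # the HSTS header set on the server block unless it repeats it.
        }
    }
}
```

So trimming the duplicates is safe for plain values like client_max_body_size, but for add_header and proxy_set_header make sure each level that sets any of them sets all the ones you want to reach the client or backend.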

So I can't seem to get this figured out. I have the default page working, but when I edit the "default" file to add the location for one of my services, once I restart the docker it shows *starting nginx nginx ...fail!

 

I've looked at multiple file setups and tried to emulate but nothing so far has worked :(


We can't say anything without seeing the config file.